Routers are specialized computers that help tie together the internal network of a company or an Internet
provider, but also forward and process Internet traffic. According to the catalog obtained by SPIEGEL, the
NSA's ANT division offers implants for professional-grade routers from at least two manufacturers: Juniper
and Huawei. Whether there are further ANT products for such devices is unknown. The ANT implants for
routers hide in the BIOS, the lowest software level of the respective device. This ensures that they keep
working and can load additional spy software even when the computer is rebooted or a new operating
system is installed. The routers whose model designations appear in the catalog are designed for small,
medium-sized and large companies, some also for the data centers of Internet and mobile providers.

Huawei Routers

The Chinese company Huawei is now one of the world's largest manufacturers of network equipment.
In the second quarter of 2013, according to the market research firm Infonetics, Huawei ranked second in
revenue from routers and switches for mobile and Internet providers, behind Cisco and ahead of Juniper.

HEADWATER is a persistent backdoor (PBD) for Huawei routers that is meant to remain in the boot ROM,
resistant to firmware updates, and thus enable remote control of the device.

Juniper J-Series 

Juniper's J-Series routers are intended for use in companies; they connect servers and desktop
computers with the corporate network and the Internet.

SCHOOLMONTANA refers to software implants for Juniper J-Series routers.

Juniper M-Series 

Juniper's M-Series routers are made for companies and service providers. They are therefore also used in
the data centers of firms that provide Internet connections to other companies and private customers.

SIERRAMONTANA is a software implant for Juniper M-Series routers which, according to the NSA
document, embeds itself in the BIOS, resistant to software updates.

Juniper T-Series 

According to the manufacturer Juniper, the T-Series routers are used by "leading service providers to
operate large fixed-line, mobile, video and cloud networks".

STUCCOMONTANA is apparently an implant for Juniper T-Series routers that, as a BIOS modification, is
also meant to survive software updates.
HEADWATER

ANT Product Data 



(TS//SI//REL) HEADWATER is a Persistent Backdoor (PBD) software implant for 
selected Huawei routers. The implant will enable covert functions to be remotely 
executed within the router via an Internet connection. 
(TS//SI//REL) HEADWATER Persistence Implant Concept of Operations

(TS//SI//REL) HEADWATER PBD implant will be transferred remotely over
the Internet to the selected target router by Remote Operations Center 
(ROC) personnel. After the transfer process is complete, the PBD will be 
installed in the router's boot ROM via an upgrade command. The PBD will 
then be activated after a system reboot. Once activated, the ROC 
operators will be able to use DNT's HAMMERMILL Insertion Tool (HIT) to 
control the PBD as it captures and examines all IP packets passing through 
the host router. 



(TS//SI//REL) HEADWATER is the cover term for the PBD for Huawei 
Technologies routers. PBD has been adopted for use in the joint NSA/CIA 
effort to exploit Huawei network equipment. (The cover name for this joint 
project is TURBOPANDA.) 



Status: (U//FOUO) On the shelf ready for deployment. 
SCHOOLMONTANA

ANT Product Data 



(TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT 
implant will survive an upgrade or replacement of the operating system - including 
physically replacing the router's compact flash card. 
(S//SI//REL) SCHOOLMONTANA Concept of Operations

(TS//SI//REL) Currently, the intended DNT Implant to persist is 
VALIDATOR, which must be run as a user process on the target 
operating system. The vector of attack is the modification of the target's 
BIOS. The modification will add the necessary software to the BIOS and 
modify its software to execute the SCHOOLMONTANA implant at the end 
of its native System Management Mode (SMM) handler. 

(TS//SI//REL) SCHOOLMONTANA must support all modern versions of 
JUNOS, which is a version of FreeBSD customized by Juniper. Upon 
system boot, the JUNOS operating system is modified in memory to run 
the implant, and provide persistent kernel modifications to support 
implant execution. 

(TS//SI//REL) SCHOOLMONTANA is the cover term for the persistence technique 
to deploy a DNT implant to Juniper J-Series routers. 

Status: (U//FOUO) SCHOOLMONTANA completed and released by ANT May 30, 
2008. It is ready for deployment. 
SIERRAMONTANA

ANT Product Data 



(TS//SI//REL) SIERRAMONTANA provides persistence for DNT implants. The DNT
implant will survive an upgrade or replacement of the operating system - including
physically replacing the router’s compact flash card.

06/24/08

(TS//SI//REL) Currently, the intended DNT Implant to persist is
VALIDATOR, which must be run as a user process on the target 
operating system. The vector of attack is the modification of the target's 
BIOS. The modification will add the necessary software to the BIOS and 
modify its software to execute the SIERRAMONTANA implant at the end 
of its native System Management Mode (SMM) handler. 

(TS//SI//REL) SIERRAMONTANA must support all modern versions of 
JUNOS, which is a version of FreeBSD customized by Juniper. Upon 
system boot, the JUNOS operating system is modified in memory to run 
the implant, and provide persistent kernel modifications to support 
implant execution. 



(TS//SI//REL) SIERRAMONTANA is the cover term for the persistence technique to 
deploy a DNT implant to Juniper M-Series routers. 



Unit Cost: $ 

Status: (U//FOUO) SIERRAMONTANA under development and is expected to be 
released by 30 November 2008. 
STUCCOMONTANA

ANT Product Data 



(TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The 
DNT implant will survive an upgrade or replacement of the operating system - 
including physically replacing the router’s compact flash card. 
(S//SI//REL) STUCCOMONTANA Concept of Operations

(TS//SI//REL) Currently, the intended DNT Implant to persist is 
VALIDATOR, which must be run as a user process on the target operating 
system. The vector of attack is the modification of the target's BIOS. The 
modification will add the necessary software to the BIOS and modify its 
software to execute the STUCCOMONTANA implant at the end of its native 
System Management Mode (SMM) handler. 

(TS//SI//REL) STUCCOMONTANA must support all modern versions of 
JUNOS, which is a version of FreeBSD customized by Juniper. Upon system
boot, the JUNOS operating system is modified in memory to run the 
implant, and provide persistent kernel modifications to support implant 
execution. 

(TS//SI//REL) STUCCOMONTANA is the cover term for the persistence technique to 
deploy a DNT implant to Juniper T-Series routers. 

Unit Cost: $ 

Status: (U//FOUO) STUCCOMONTANA under development and is expected to be 
released by 30 November 2008. 

POC: U//FOUO S32222, L!QV 